[Interest] SSL & Let's Encrypt certificate expiration

Thiago Macieira thiago.macieira at intel.com
Wed Oct 6 17:53:13 CEST 2021


On Wednesday, 6 October 2021 02:41:39 PDT Hamish Moffatt via Interest wrote:
> I upgraded to 1.0.2u and added the X1 root directly to Qt. Now the
> application works. But the instructions from OpenSSL say to also remove
> the X3 root which I'm not able to do (it's loaded from Windows), so I am
> puzzled by why this works. I have not done anything special when
> generating my certificates like requesting the alternate certificate chain.

If OpenSSL has any path to a still-valid root certificate, then it can ignore 
the others. That's one way of dealing with expirations: you add a new link in 
the chain that will continue to be valid when the other path(s) aren't. You 
can also prune the tree that isn't necessary any more -- I looked into what 
Let's Encrypt has been giving me for months and it hasn't included the 
expiring certificate in the certchain.pem collection.

The other way is to reissue everything with new roots and update EVERYTHING 
before the earliest expiration. That's far more work, but clearly has fewer 
issues.

> I have Qt 5.15 (OpenSSL 1.1) applications deployed on Debian 10 and have
> not had to do anything to keep that working.

Same here for everything on my up-to-date Linux. The only reason I know this 
is happening is an Android application (Blackberry Hub).

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel DPG Cloud Engineering
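The pruning described above (dropping the expiring certificate from a chain file such as certchain.pem) can be checked mechanically. The following is an added example, not code from this thread, Qt or OpenSSL: it walks each certificate's DER with a minimal standard-library ASN.1 reader, reports which ones are past notAfter, and returns the remaining PEM. `fake_cert_pem` and `utc` are constructed helpers assumed here only to exercise it offline; on a real bundle the same `prune_expired` applies.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
utc = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)   # "2021-09-30T14:01:15"

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):                # every (tag, value_start, value_end) in a SEQUENCE
    out, pos = [], start
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][2]
    return out

def _asn1_time(buf, tag, vs, ve):              # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, ts, te = _tlv(der, _tlv(der, 0)[1])     # enter the outer SEQUENCE, then tbsCertificate
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = _children(der, *fields[3][1:])  # serial, signature, issuer, validity, ...
    return _asn1_time(der, *validity[0]), _asn1_time(der, *validity[1])

def prune_expired(bundle, now):
    """Return (PEM with only certs still valid at `now`, notAfter of each cert dropped)."""
    certs = [(m.group(0), cert_validity(base64.b64decode(m.group(1)))[1]) for m in PEM_RE.finditer(bundle)]
    kept = [pem for pem, na in certs if na > now]
    return "".join(pem + "\n" for pem in kept), [na for _, na in certs if na <= now]

# Constructed test input: an unsigned stand-in cert carrying only the fields the walker reads.
_der = lambda tag, content: bytes([tag, len(content)]) + content          # short-form length only
def fake_cert_pem(not_after):
    t = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _der(0x30, b"") + _der(0x30, t(not_after - timedelta(days=90)) + t(not_after)))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----" % base64.encodebytes(cert).decode()
```

This only inspects validity dates; whether the pruned bundle still chains to a trusted root on a given machine is a separate check that `openssl verify` (or the application's own TLS stack) has to make.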